Requirements
- OWASP Zap
- Frida
- Rooted Android Phone
⚠️ Since the apps we are interested in are not debuggable, we have to be root.
Installing Requirements
- Install OWASP Zap:
    brew install owasp-zap
  ✅ It is available on basically all platforms: https://www.zaproxy.org/download/
- Install Frida:
    pip3 install frida-tools
Configure your phone to work with OWASP Zap
1. Open “Options”.
2. In “Options”, click “Local Proxies” and add a new proxy with an IP address that is accessible from the phone.
   NOTE: Be sure to enable “Behind NAT” if you are using a private IP (you should be).
3. Export the certificate by going to “Dynamic SSL Certificate” and saving the certificate to a path on your machine.
4. Add the cert to your Android phone. I used adb push and then installed it in settings.
5. Add the proxy to your network config. Go to “Wi-Fi” → click on the ⚙️ next to your network → click on the ✏️ → Proxy → change “None” to “Manual” and add the IP address and port that you configured in Step 2.
Setup and Run Frida
- On a rooted Android phone, install frida-server with the instructions here: https://frida.re/docs/android/ or use https://github.com/ViRb3/magisk-frida to install it for you and run it on boot.
- Get the app id of the app you are interested in by running:
    frida-ps -Ua
- Download the unpinning script for Frida here: https://raw.githubusercontent.com/httptoolkit/frida-android-unpinning/main/frida-script.js
- Run and instrument the app with:
    frida --no-pause -U -l ./frida-script.js -f <YOUR_APP>
- You should see connections from the app start to appear in your OWASP ZAP history window.
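A preflight helper for the steps above, added here as an example (it is not part of the original post): it decides whether the proxy address falls under the “Behind NAT” note and pulls the app id out of `frida-ps -Ua` output. The function names, the sample address and the sample process listing are constructed, and the parser assumes the three-column PID / Name / Identifier layout.

```shell
#!/bin/sh
# Added example: preflight helpers for the proxy and Frida steps above.
# Function names and all sample values are constructed for illustration.

# Succeeds when $1 is a well-formed RFC 1918 IPv4 address, i.e. the case in
# which the NOTE above says to enable "Behind NAT" on the ZAP local proxy.
is_private_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                       # split the address into four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168) return 0 ;;
        172.*) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        *) return 1 ;;
    esac
}

# Reads `frida-ps -Ua` output on stdin and prints the Identifier of the row
# whose Name column equals $1. Names may contain spaces, so the PID (first
# field) and Identifier (last field) are peeled off the line instead of
# relying on a fixed field number. Exit status is 1 if no row matches.
app_id_for() {
    awk -v want="$1" '
        NR <= 2 { next }                            # header and ----- ruler
        {
            name = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", name)   # drop PID column
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)   # drop Identifier column
            if (name == want) { print $NF; found = 1 }
        }
        END { exit !found }'
}

# Constructed sample of `frida-ps -Ua` output.
SAMPLE_PS=' PID  Name        Identifier
----  ----------  ---------------------
4521  Smart Plug  com.example.smartplug
4788  Chrome      com.android.chrome'

PROXY_IP=192.168.1.20   # constructed: address given to the ZAP local proxy
if is_private_ipv4 "$PROXY_IP"; then
    echo "$PROXY_IP is private: enable \"Behind NAT\" in ZAP"
fi
APP_ID=$(printf '%s\n' "$SAMPLE_PS" | app_id_for 'Smart Plug') &&
    echo "frida --no-pause -U -l ./frida-script.js -f $APP_ID"
```

On a real setup, pipe the live listing in instead of the sample: `frida-ps -Ua | app_id_for 'Your App Name'`.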
Congratulations, you now have access to the traffic! Now please go out and make a new Home Assistant integration for your favorite IoT crap.